CN102314564A - Unified grading safety method and system for multi-service system - Google Patents

Info

Publication number: CN102314564A
Authority: CN (China)
Prior art keywords: password, user, rule, user account, switching strategy
Legal status: Granted
Application number: CN2010102223557A
Other languages: Chinese (zh)
Other versions: CN102314564B (en)
Inventors: 傅士光, 宋琦, 代黎明
Current assignee: Beijing Baidu Netcom Science and Technology Co Ltd
Original assignee: Beijing Baidu Netcom Science and Technology Co Ltd
Application filed by Beijing Baidu Netcom Science and Technology Co Ltd
Priority to CN201010222355.7A

Abstract

The invention relates to a unified grading safety method and a unified grading safety system for a multi-service system. The method comprises the following steps: judging whether the password rule of a user account has changed; when the password rule of the user account has changed, searching for the corresponding password conversion strategy identity (ID) in the association relationship between user sets and password conversion strategies according to the user information of the user account, wherein the user information comprises a user ID, a role or a service system ID; and when a corresponding password conversion strategy ID is found, determining the new password rule ID of the user account according to the found password conversion strategy ID. During system integration, a password conversion strategy with a higher safety level is allocated, at different granularities, to a certain user, to the users in a certain role or to the users in a certain system in the association relationship between user sets and password conversion strategies, so that the overall safety level of the passwords of that user, of the users in that role or of the users in that system can be raised.

Description

Unified grading safety method and system for a multi-service system
Technical field
The present invention relates generally to graded security policies, and more particularly to a unified grading safety method and device for a multi-service system, and to a unified user management and authentication system for a multi-service system.
Background technology
In enterprise applications, when the accounts of several business systems are integrated to provide unified user login authentication, one frequently finds that the business systems use different password encryption algorithms and have different password-complexity requirements. In addition, within a business system, password rules and password verification are subject to different levels of security requirements depending on how important or how risky a function is.
When business systems were integrated, the prior art generally kept each original system's verification rules and authenticated the integrated accounts against them. This has at least the following two shortcomings: 1. the password security requirements and the password verification method cannot be adjusted at different granularities (for a single user, for the users of a certain role, or for the users of a certain system); and 2. users with different permissions/roles cannot be given stricter or looser graded security settings for their passwords.
There is therefore a need for a method and system that can apply unified graded security adjustments to the accounts of a multi-service system.
Summary of the invention
To address the above problems, a unified grading safety method and system for a multi-service system are provided. They allow the password conversion strategy (for example, complexity requirements and verification rules) used by a user group (a certain user, a certain role or a certain system) to be configured at different granularities (user granularity, role granularity and system granularity), so that the users of different groups use password policies of the corresponding level and system security is guaranteed according to the differing security requirements of system functions.
According to one aspect of the invention, a unified grading safety method for a multi-service system comprises the steps of: determining whether the password rule of a user account has changed; when the password rule of the user account has changed, looking up the corresponding password conversion strategy ID in the association relationship between user sets and password conversion strategies according to the user information of the user account, the user information comprising a user ID, a role or a business system ID; and when a corresponding password conversion strategy ID is found, determining the new password rule ID of the user account according to the found password conversion strategy ID.
Preferably, in the unified grading safety method for a multi-service system according to the invention, determining the new password rule ID of the user account according to the found password conversion strategy ID further comprises the steps of: taking the security level of the current password rule ID of the user account as a first security level; taking the security level set in the association relationship between user sets and password conversion strategies as a second security level, and checking whether the first security level is lower than the second security level; when it is not lower, taking the current password rule ID of the user account as the new password rule ID of the user account; and when it is lower, determining the new password rule ID of the user account according to the found password conversion strategy ID.
Preferably, in the unified grading safety method for a multi-service system according to the invention, determining the new password rule ID of the user account according to the found password conversion strategy ID further comprises the steps of: checking whether the new password rule ID in the password conversion strategy is identical to the current password rule ID of the user account; when identical, taking the current password rule ID of the user account as the new password rule ID of the user account; when not identical, taking the security level set in the association relationship between user sets and password conversion strategies as a second security level, taking the security level of the new password rule ID in the password conversion strategy as a third security level, and checking whether the third security level is lower than the second security level; when it is lower, taking the current password rule ID of the user account as the new password rule ID of the user account; and when it is not lower, taking the new password rule ID in the password conversion strategy as the new password rule ID of the user account.
The unified grading safety method for a multi-service system according to the invention is executed when the user logs in or changes the password.
According to another aspect of the invention, a unified grading safety device for a multi-service system comprises: a password rule change determination component for determining whether the password rule of a user account has changed; a password conversion strategy determination component for, when the password rule of the user account has changed, looking up the corresponding password conversion strategy ID in the association relationship between user sets and password conversion strategies according to the user information of the user account, the user information comprising a user ID, a role or a business system ID; and a new password rule determination component for, when a corresponding password conversion strategy ID is found, determining the new password rule ID of the user account according to the found password conversion strategy ID.
Preferably, in the unified grading safety device for a multi-service system according to the invention, the new password rule determination component is further configured to: take the security level of the current password rule ID of the user account as a first security level; take the security level set in the association relationship between user sets and password conversion strategies as a second security level, and check whether the first security level is lower than the second security level; when it is not lower, take the current password rule ID of the user account as the new password rule ID of the user account; and when it is lower, determine the new password rule ID of the user account according to the found password conversion strategy ID.
Preferably, in the unified grading safety device for a multi-service system according to the invention, the new password rule determination component is further configured to: check whether the new password rule ID in the password conversion strategy is identical to the current password rule ID of the user account; when identical, take the current password rule ID of the user account as the new password rule ID of the user account; when not identical, take the security level set in the association relationship between user sets and password conversion strategies as a second security level, take the security level of the new password rule ID in the password conversion strategy as a third security level, and check whether the third security level is lower than the second security level; when it is lower, take the current password rule ID of the user account as the new password rule ID of the user account; and when it is not lower, take the new password rule ID in the password conversion strategy as the new password rule ID of the user account.
The association relationship between user sets and password conversion strategies is set by the system administrator at user granularity, role granularity or system granularity. User granularity has a higher priority than role granularity, and role granularity has a higher priority than system granularity.
According to yet another aspect of the invention, a unified grading safety method for a multi-service system comprises the steps of: looking up the corresponding password conversion strategy ID in the association relationship between user sets and password conversion strategies according to the registration information entered by a registering user and the business system ID of the business system to which the user belongs, the registration information comprising the user's role; when no corresponding password conversion strategy ID is found, using the default password strategy ID as the corresponding password conversion strategy ID; and determining the new password rule ID in the corresponding password conversion strategy as the password rule ID of the registering user.
According to a further aspect of the invention, a unified grading safety device for a multi-service system comprises: a password conversion strategy determination component for looking up the corresponding password conversion strategy ID in the association relationship between user sets and password conversion strategies according to the registration information entered by a registering user and the business system ID of the business system to which the user belongs, and for using the default password strategy ID as the corresponding password conversion strategy ID when no corresponding password conversion strategy ID is found, the registration information comprising the user's role; and a password rule determination component for determining the new password rule ID in the corresponding password conversion strategy as the password rule ID of the registering user.
According to a further aspect of the invention, a unified user management and authentication system for a multi-service system comprises: a user interface component for receiving information entered by the user and for outputting notification signals to the user, the entered information comprising at least an account name and a password; a user account database for storing information about user accounts; an account and password verification component for verifying the account name and password entered by the user; and a unified grading safety device for determining whether the password rule of a logged-in user account has changed and, when it has, determining the new password rule of that user account, and for determining the new password rule of a newly registered user account.
With the unified grading safety method and device for a multi-service system according to the invention, the overall password security level of a certain user, of the users of a certain permission/role, or of the users of a certain system can be raised at system integration time, each at its own granularity, by configuring a password conversion strategy of a higher security level for that user, that role or that system in the association relationship between user sets and password conversion strategies. When such a user logs in or changes the password, the user is notified to set a password according to the password rule of the higher security level, so that the higher security requirement is met.
By adjusting the password security requirements and the password verification method at system granularity, the unified grading safety method and system according to the invention can apply different encryption methods to different business systems without having to retain the verification rules of the original business systems.
Furthermore, by adjusting the password security requirements and the password verification method at role granularity, the unified grading safety method and system according to the invention can apply stricter or looser graded security settings to the passwords of users with different permissions/roles.
Further, when a user's permissions/role change, the unified grading safety method and system according to the invention can apply a stricter graded security setting to that user, so that the user must set a password according to the stricter security requirement.
Brief description of the drawings
These and other aspects, features and advantages of the present invention will become clear from the following detailed description read in conjunction with the accompanying drawings, in which
Fig. 1a shows a diagram of the password rules used by each business system when there are several business systems;
Fig. 1b shows an architecture diagram in which the user accounts of several business systems are managed and verified in a unified manner by a unified user management and authentication system;
Fig. 1c shows a block diagram of the unified user management and authentication system according to the invention;
Fig. 2 shows a block diagram of the unified grading safety device for a multi-service system according to a first embodiment of the invention;
Fig. 3 shows a flow chart of the unified grading safety method for a multi-service system according to the first embodiment of the invention;
Fig. 4 shows a block diagram of the unified grading safety device for a multi-service system according to a second embodiment of the invention; and
Fig. 5 shows a flow chart of the unified grading safety method for a multi-service system according to the second embodiment of the invention.
Throughout the drawings, like reference numerals denote the same or similar components.
Embodiments
As shown in Fig. 1a, S1, S2, S3, ..., Sn are independent business systems, and the account password encryption method of each business system may be the same or different. For example, business system S1 encrypts account passwords as md5(num), where the password num is 6 digits; business system S2 encrypts them as md5(key+num), where the password (key+num) is upper- and lower-case letters plus 6 digits; and business system S3 uses encryption methods graded by security level, where a password of security level level-0 is 6 digits, a password of level-1 is upper- and lower-case letters, a password of level-2 is a one-time password, and so on.
As shown in Fig. 1b, the user accounts of S1, S2, S3, ..., Sn are managed and verified in a unified manner by a unified user management and authentication system. The unified grading safety method and device for a multi-service system of the present invention are proposed against this background.
Before the principles of the invention are described in detail, the data formats defined for implementing the unified grading safety method and device according to the invention are given first: the password rule, the password conversion strategy, the association relationship between user sets and password conversion strategies, and the user account.
Table 1 shows the definition of the password rule according to the invention.
Password rule (Pwd_Rule)
Password rule ID
Description of the password rule
Related data of the password rule
Computational logic of the password rule
Security level (SecureLevel) of the password rule
Table 1 Password rule
As shown in Table 1, a password rule (Pwd_Rule) comprises the identifier of the rule (password rule ID), a description of the rule, the computational logic of the rule (for example, how a password is verified and how a password is set, including the minimum length, whether upper- and lower-case letters plus digits are required, one-time passwords and so on), the related data of the rule, and the security level (SecureLevel) of the rule.
Table 2 shows the definition of the password conversion strategy according to the invention.
Password conversion strategy (Pwd_Policy)
Password conversion strategy ID
Description of the password conversion strategy
Current password rule ID (CurrentRuleID)
New password rule ID
Table 2 Password conversion strategy
As shown in Table 2, a password conversion strategy (Pwd_Policy) comprises the identifier of the strategy (password conversion strategy ID), a description of the strategy, the current password rule ID (CurrentRuleID) and the new password rule ID to which the strategy converts. The conversion of the password rule is generally performed when the password is changed or at login.
Table 3 shows the definition of the association relationship between user sets and password conversion strategies according to the invention.
Association relationship between user set and password conversion strategy (UserSet_Policy_Map)
Association relationship ID
Description of the association relationship
Mark (RefTag) of the user set
Type (RefType) of the user set
Security level (SecureLevel) of the user set
Password conversion strategy ID
Table 3 Association relationship between user set and password conversion strategy
As shown in Table 3, the association relationship between a user set and a password conversion strategy (UserSet_Policy_Map) comprises the identifier of the relationship (association relationship ID), a description of the relationship, the mark (RefTag) of the user set, the type (RefType) of the user set, the security level (SecureLevel) of the user set, and the password conversion strategy ID of the user set.
A user set may be a single account, the accounts of a role predefined by the system, or the accounts of a certain business system. The type (RefType) of the user set defines its granularity: account granularity, role granularity or business system granularity. Correspondingly, the mark (RefTag) of the user set defines which account, which role or which business system the user set refers to. The priority of RefTag, from high to low, is: account, role, business system. For example, when RefType is "account" and RefTag is "Mike", the user set is restricted to the single user account "Mike"; when RefType is "role" and RefTag is "Role_Admin", the user set comprises all user accounts with the role "Role_Admin"; and when RefType is "system" and RefTag is "S1", the user set comprises all user accounts of business system S1.
Furthermore, for each user set, the password rule may only be converted to a password rule with an equal or higher SecureLevel; therefore each user set may only be associated with a password conversion strategy whose password rule has an equal or higher SecureLevel.
Table 4 shows the definition of the user account according to the invention.
User account (Account)
User ID (UserID)
Current password rule ID (CurrentRuleID)
Check policy (CheckPolicy)
......
Table 4 User account
As shown in Table 4, a user account (Account) comprises the ID of the user account (UserID), the current password rule ID (CurrentRuleID) of the user account and the check policy (CheckPolicy) of the user account.
If CheckPolicy equals 1, the password rule of the user account may have changed and its new password rule must be checked; after the password rule has been checked, this flag is reset to 0. A user account may also comprise other information, such as the user's role and the business system to which the user belongs.
The principle of the invention is described below using the integration of the accounts of business systems S1, S2 and S3 into the unified user management and authentication system as an example.
For example, the users of the former business systems S1, S2 and S3 used password rules RS1, RS2 and RS3 respectively. In the unified user management and authentication system after integration, the users with role ROLE-ADMIN in system S1 are to use a password rule of security level level-3, while the other users in system S1 and the users in systems S2 and S3 are to use the unified password rule RCOMMON. The system administrator configures the association relationships between user sets and password conversion strategies according to these password rule conversion relationships, and sets CheckPolicy to 1 for the user accounts associated with the configured relationships.
In the unified user management and authentication system, the password rules, the password conversion strategies, the association relationships between user sets and password conversion strategies, and the user accounts are configured as follows.
Password rules:
RS1, description=password rule of system S1, <data related to this password rule>, <computational logic of this password rule>, SecureLevel=0
RS2, description=password rule of system S2, <data related to this password rule>, <computational logic of this password rule>, SecureLevel=0
RS3, description=password rule of system S3, <data related to this password rule>, <computational logic of this password rule>, SecureLevel=0
RULE-3, description=password rule with SecureLevel 3, <data related to this password rule>, <computational logic of this password rule>, SecureLevel=3
Password conversion strategies:
PS1, description=convert password rule RS1 to password rule RCOMMON, current password rule ID=RS1, new password rule ID=RCOMMON
PS2, description=convert password rule RS2 to password rule RCOMMON, current password rule ID=RS2, new password rule ID=RCOMMON
PS3, description=convert password rule RS3 to password rule RCOMMON, current password rule ID=RS3, new password rule ID=RCOMMON
P-3, description=convert password rule RS1 to password rule RULE-3, current password rule ID=RS1, new password rule ID=RULE-3
Association relationships between user sets and password conversion strategies:
M-3, description=the account set with role ROLE-ADMIN uses password conversion strategy P-3, refTag=ROLE-ADMIN, refType=role, password conversion strategy ID=P-3, SecureLevel=3
MS1, description=the account set of system S1 uses password conversion strategy PS1, refTag=system A, refType=system, password conversion strategy ID=PS1, SecureLevel=0
MS2, description=the account set of system S2 uses password conversion strategy PS2, refTag=system B, refType=system, password conversion strategy ID=PS2, SecureLevel=0
MS3, description=the account set of system S3 uses password conversion strategy PS3, refTag=system C, refType=system, password conversion strategy ID=PS3, SecureLevel=0
User account:
UserID=678, CurrentRuleID=RS1, CheckPolicy=1, ..., and the user's role is ROLE-ADMIN
As shown in Fig. 1c, the unified user management and authentication system comprises a user interface component 110, a user account database 120, an account and password verification component 130 and a unified grading safety device 140.
The user interface component 110 receives the various inputs of the users of the business systems, such as user account names and passwords, and sends various notification messages to the user, such as a message that the user account does not exist, a message indicating login failure, a message instructing the user to change the password, and a message indicating that the password change failed. The user account database 120 stores information about user accounts. The account and password verification component 130 verifies the user account name and password entered by the user and, when the user enters a new password, verifies whether the new password meets the requirements.
User login and user account and password verification are assumed to be familiar from the related art and are not described in detail here, so as to keep the principle of the invention clear.
First embodiment
As shown in Figure 2, comprise according to the unified classification safety feature 140 of the multiservice system of first embodiment of the invention that the password rule changes and confirm that parts 2401, password switching strategy confirm that parts 2402, new password rule confirm that parts 2403, new password Policy Updates parts 2404 and verification strategy sign are provided with parts 2405.
Whether the password rule changes the password rule of confirming parts 2401 definite users and changes.When the password rule of confirming the user changed, the password switching strategy was confirmed the password switching strategy of parts 2402 definite user ciphers.After having confirmed the password switching strategy of user cipher, the new password rule is confirmed parts 2403 definite users' new password rule.When user's new password rule was different from user's current password rule, new password Policy Updates parts 2404 were this new password rule with user's current password Policy Updates.The verification strategy sign that verification strategy sign is provided with parts 2405 user accounts is set to zero.
As shown in Figure 3, be example with user account " Catherine " the registering service S1 of system of the operation system S1 before integrating and according to new password rules modification password, come the unified classification safety method of illustration according to first embodiment of the invention.
The user of operation system S1 before integrating imports account name " Catherine " and passwords at step S315 via user interface component 110, to login.At step S320; Whether the user management that this is unified and the account of verification system and password authentification parts 130 inspection user account databases 120 are so that exist the user account corresponding to this user account names " Catherine " among the operation system S1 before confirming to integrate.If this user account does not exist, then at step S325, user interface component 110 indicates this user account not exist to the user.Otherwise if this user account exists, then at step S330, account and password authentification parts 130 obtain UserID, CurrentRuleID and the CheckPolicy of this user account from user account database 120.At step S335, account and password authentification parts 130 are according to current password rule checking user account names and password.At step S340, judge whether checking is successful.If authentication failed, in step 345, user interface component 110 is returned login failure information to the user.
If verify successfully, then begin to carry out unified safety classification method according to first embodiment of the invention.Is it 1 that the password rule changes the CheckPolicy that confirms parts 2401 these user accounts of inspection in step 350? If CheckPolicy is not 1, represent that then the password rule of this user account does not change, this method proceeds to step S399.Otherwise, if CheckPolicy is 1, represent that then variation possibly take place the password rule of this user account, need its new password rule of verification, this method proceeds to step S355.At step S355, the password switching strategy confirms that parts 2402 search corresponding password switching strategy ID according to the user profile of this user account in UserSet_Policy_Map, and this user profile can be ID, role or operation system ID or the like.If do not find corresponding password switching strategy ID, then this method proceeds to S395, and verification strategy sign is provided with parts 2405 CheckPolicy is updated to 0.
If found corresponding password switching strategy ID; Then this method proceeds to S360, and the new password rule confirms whether the SecureLevel of the CurrentRuleID of parts 2403 these user accounts of inspection is lower than SecureLevel corresponding among the UserSet_Policy_Map.If the SecureLevel of the CurrentRuleID of this user account is not less than SecureLevel corresponding among the UserSet_Policy_Map; Then this method proceeds to step S375, and will be regular as the new password of this user account with the current password rule of this user account.
Otherwise; If the SecureLevel of the CurrentRuleID of this user account is lower than SecureLevel corresponding among the UserSet_Policy_Map; Then this method proceeds to step S365; The definite parts 2403 of new password rule check according to the password switching strategy ID that is found whether the new password rule ID of this password switching strategy ID is consistent with the CurrentRuleID of this user account.If consistent, then this method proceeds to step S395, and verification strategy sign is provided with parts 2405 CheckPolicy is updated to 0.
Otherwise, if they differ, the method proceeds to step S370, where the new password rule determining component 2403 checks whether the SecureLevel of the new password rule ID of this password switching strategy ID is lower than the corresponding SecureLevel in UserSet_Policy_Map. If the SecureLevel of the new password rule ID of this password switching strategy ID is lower than the corresponding SecureLevel in UserSet_Policy_Map, the method proceeds to step S375 and takes the current password rule of this user account as its new password rule.
Otherwise, if the SecureLevel of the new password rule ID of this password switching strategy ID is not lower than the corresponding SecureLevel in UserSet_Policy_Map, the method proceeds to step S380, takes the new password rule ID of this password switching strategy ID as the new password rule of this user account, and prompts the user to change the password. Then, in step S385, the account and password verification component 130 checks whether the user has successfully entered a new password that satisfies the new password rule of this user account. If not, in step S389 the user interface component 110 returns a password change failure message and tells the user how to change the password. If the new password is entered successfully, in step S390 the current password rule updating component 2404 updates the CurrentRuleID of this user account to the new password rule ID of the corresponding password switching strategy ID, and the check policy flag setting component 2405 sets CheckPolicy to zero so that the check is not repeated at the next login.
For example, consider converting the password rule of a user account whose role in system S1 is ROLE-ADMIN to a new password rule. The user account is named Amy (UserID=678, CurrentRuleID=RS1, CheckPolicy=1, ...) and its user role is ROLE-ADMIN, and the association between the user set and the password switching strategy is configured with the following RefType priority: role takes precedence over system. Therefore, when this user account logs in and the account and password verification component 130 has successfully verified the entered user account name and password in steps S320, S335 and S340, the unified classification safety method according to the first embodiment of the invention begins. In step S350, the password rule change determining component 2401 determines that the CheckPolicy of this user account is 1. Then, in step S355, the password switching strategy determining component 2402 finds in UserSet_Policy_Map that the password switching strategy ID corresponding to this user account is P-3, and in step S360 the new password rule determining component 2403 determines that the SecureLevel (0) of the CurrentRuleID (RS1) of this user account is lower than the corresponding SecureLevel (3) configured in UserSet_Policy_Map. In step S365, the new password rule determining component 2403 determines that the CurrentRuleID (RS1) of this user account differs from the new password rule (RULE-3) of the password switching strategy ID (P-3). In step S370, the new password rule determining component 2403 determines that the SecureLevel (3) of the new password rule (RULE-3) is not lower than the corresponding SecureLevel (3) in UserSet_Policy_Map. Then, in step S380, the new password rule determining component 2403 determines that the new password rule ID of this user account is the new password rule ID of this password switching strategy, and the user interface component 110 prompts the user to change the password. After the user has successfully changed the password, in step S390 the current password rule updating component 2404 updates the CurrentRuleID of this user account to the new password rule ID (RULE-3), and the check policy flag setting component 2405 sets CheckPolicy to zero.
In addition, after the user changes the password, in step S385 the account and password verification component 130 verifies the changed password against the new password rule. If the verification fails, in step S389 the user interface component 110 returns a password change failure message and prompts the user on how to set the password.
According to the first embodiment of the present invention, the user account databases of the individual service systems before integration are stored in advance in the unified user management and authentication system. In this case, the unified user management and authentication system performs unified authentication management for the users of every service system; therefore, even when an individual service system is under maintenance or busy, the unified user management and authentication system can still obtain the relevant information of the logged-in user, such as UserID, CurrentRuleID and CheckPolicy.
In addition, according to the first embodiment of the present invention, the password switching strategy (such as complexity requirements and verification rules) used by a user group (such as a certain user, a certain role or a certain system) can be configured at different granularities (such as user granularity, role granularity and system granularity), so that the users of different user groups use password policies of the corresponding level according to the different security requirements of system functions, thereby ensuring system security. Therefore, when systems are integrated, the overall password security level of a certain user, of the users in a certain role, or of the users of a certain system can be raised according to the respective granularity. In addition, when a user's role changes, a stricter classified security setting can also be applied to that user.
Although in the first embodiment of the present invention the unified classification safety device judges whether a user of a service system needs to change the password and determines the new password rule when the user logs in, those of ordinary skill in the art will readily understand that, alternatively, the unified classification safety device can also judge whether the user needs to change the password and determine the new password rule when the user of a service system changes the password.
Second embodiment
When a new user registers, the user interface component 110 receives the necessary registration information entered by the new user of the service system and sends various notification messages to the user, such as a message indicating that registration succeeded or a message indicating that registration failed. The necessary registration information includes at least the user account name, role and password. The unified classification safety device 140 determines the new password rule of this new user according to the role entered by the user and the service system ID of this service system. The account and password verification component 130 verifies, according to the determined new password rule, whether the password entered by the user meets the requirements, and verifies whether the other registration information entered by the user is legal. When the password entered by the user meets the requirements, the relevant information of this user account, such as account name, password and role, is stored in the user account database 120.
As shown in Figure 4, the unified classification safety device 140 of the multi-service system according to the second embodiment of the invention comprises a password switching strategy determining component 4402 and a password rule determining component 4403.
The password switching strategy determining component 4402 searches the association between the user set and the password switching strategy for the corresponding password switching strategy ID according to the role provided at registration and the service system ID of this service system, and, when no corresponding password switching strategy ID is found, uses the default password switching strategy ID as the corresponding one. The password rule determining component 4403 determines the new password rule ID of the corresponding password switching strategy ID as the password rule ID of the registering user.
As shown in Figure 5, the unified classification safety method according to the second embodiment of the invention is illustrated by taking the registration of a new user of service system S1 as an example.
In step S515, the new user enters the necessary information, such as the user account name, password and role, on the registration page provided by the unified user management and authentication system for service system S1. Then the unified classification safety method according to the second embodiment of the invention begins.
In step S520, the password switching strategy determining component 4402 in the unified classification safety device 140 searches UserSet_Policy_Map for the corresponding password switching strategy ID according to the role provided at registration and the service system ID (S1). If no corresponding password switching strategy ID is found, the method proceeds to S530, where the password switching strategy determining component 4402 uses the default password switching strategy ID as the corresponding password switching strategy ID, and then the method proceeds to S535. If a corresponding password switching strategy ID is found, the method proceeds directly to S535, where the new password rule determining component 4403 in the unified classification safety device 140 determines the new password rule ID of the corresponding password switching strategy ID as the new password rule ID of the registering user.
Then, in step S540, the account and password verification component 130 verifies the password according to the determined new password rule. If the password meets the requirements of the new password rule, the method proceeds to step S545 and verifies whether the other registration information is legal. If the other registration information is legal, the method proceeds to step S550: the user is registered successfully, the user interface component 110 returns a registration success message, and the relevant information of this user account is stored in the user account database 120 of the unified user management and authentication system. If the password does not meet the requirements of the new password rule, or the other registration information is illegal, the method proceeds to step S555, where the user interface component 110 returns a registration failure and error message and prompts the new user on how to set the password.
According to the second embodiment of the present invention, when a new user registers with a service system, the unified classification safety method and device determine the password rule of that new user of each service system. Therefore, by adjusting the users' password security requirements and password verification modes at role granularity or system granularity, the unified classification safety method and device can apply different password modes to different roles or different service systems, thereby achieving classified security settings for the users of different systems.
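As an added example (not the patent's own code), the decision flow of both embodiments in Python: find_policy is the UserSet_Policy_Map lookup with the user > role > system priority of claim 5, decide_new_rule_on_login and apply_password_change walk steps S350 to S390 of the first embodiment, and decide_rule_on_register / register walk steps S520 to S555 of the second embodiment. The rule table, policy table, map entries and regular-expression password checks are constructed sample data modelled on the Amy / ROLE-ADMIN / P-3 / RULE-3 example above; the P-WEAK entry is a constructed misconfiguration added to exercise the S370 branch.

```python
import re
from dataclasses import dataclass

# Constructed sample data modelled on the patent's worked example: RS1 has
# SecureLevel 0, RULE-3 has SecureLevel 3, and policy P-3 points to RULE-3.
# The regular expressions are hypothetical stand-ins for each rule's
# "complexity requirements and verification rules".
RULES = {  # password rule ID -> (SecureLevel, password check)
    "RS1": (0, re.compile(r"^.{4,}$")),
    "RS2": (1, re.compile(r"^.{6,}$")),
    "RULE-3": (3, re.compile(r"^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[^\w\s]).{10,}$")),
}
POLICIES = {"P-DEFAULT": "RS1", "P-WEAK": "RS1", "P-3": "RULE-3"}  # policy -> new rule
DEFAULT_POLICY_ID = "P-DEFAULT"

# UserSet_Policy_Map entries: (RefType, reference, policy ID, SecureLevel).
# Claim 5: user granularity beats role granularity, which beats system granularity.
# The user 999 / P-WEAK entry is a constructed misconfiguration: the policy's rule
# (RS1, level 0) is weaker than the level the map demands (2), which step S370 catches.
USERSET_POLICY_MAP = [
    ("system", "S1", "P-DEFAULT", 0),
    ("role", ("S1", "ROLE-ADMIN"), "P-3", 3),
    ("user", 999, "P-WEAK", 2),
]
REF_PRIORITY = ("user", "role", "system")


@dataclass
class Account:
    user_id: int
    name: str
    system_id: str
    role: str
    current_rule_id: str   # CurrentRuleID
    check_policy: int = 1  # CheckPolicy: 1 = rule may have changed, re-check


def find_policy(user_id, role, system_id):
    """Steps S355 / S520: return (policy ID, SecureLevel) for the most specific
    matching map entry, or None when nothing matches."""
    keys = {"user": user_id, "role": (system_id, role), "system": system_id}
    for ref_type in REF_PRIORITY:
        for entry_type, ref, policy_id, level in USERSET_POLICY_MAP:
            if entry_type == ref_type and ref == keys[ref_type]:
                return policy_id, level
    return None


def _keep_current(acct):
    """Steps S375 / S395: the new rule equals the current one, so per claim 4
    the CheckPolicy flag is cleared and no password change is required."""
    acct.check_policy = 0
    return acct.current_rule_id, False


def decide_new_rule_on_login(acct):
    """Steps S350-S380 of the first embodiment.
    Returns (new rule ID, whether the user must change the password)."""
    if acct.check_policy != 1:                       # S350: nothing to re-check
        return acct.current_rule_id, False
    found = find_policy(acct.user_id, acct.role, acct.system_id)
    if found is None:                                # S355 miss -> S395
        return _keep_current(acct)
    policy_id, map_level = found
    if RULES[acct.current_rule_id][0] >= map_level:  # S360: already strong enough
        return _keep_current(acct)
    new_rule_id = POLICIES[policy_id]
    if new_rule_id == acct.current_rule_id:          # S365: same rule -> S395
        return _keep_current(acct)
    if RULES[new_rule_id][0] < map_level:            # S370: policy rule too weak
        return _keep_current(acct)
    return new_rule_id, True                         # S380: prompt to change


def apply_password_change(acct, new_rule_id, new_password):
    """Steps S385-S390: accept the new password only if it satisfies the new
    rule, then commit CurrentRuleID and clear CheckPolicy."""
    if not RULES[new_rule_id][1].match(new_password):   # S389: reject
        return False
    acct.current_rule_id = new_rule_id                  # S390
    acct.check_policy = 0
    return True


def decide_rule_on_register(role, system_id):
    """Steps S520-S535 of the second embodiment: role/system lookup, falling
    back to the default policy when the map has no matching entry."""
    found = find_policy(None, role, system_id)
    policy_id = found[0] if found else DEFAULT_POLICY_ID   # S530
    return POLICIES[policy_id]                             # S535


def register(role, system_id, password):
    """Steps S520-S555 without the 'other registration information' check:
    returns (rule ID applied, whether the password satisfied it)."""
    rule_id = decide_rule_on_register(role, system_id)
    return rule_id, bool(RULES[rule_id][1].match(password))   # S540
```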
Based on the teaching herein, those of ordinary skill in the related art can readily determine the features and advantages of the present invention. Those of ordinary skill in the related art can combine in any way all the steps or components included in the various embodiments of the present invention, and need not include in a specific implementation all the steps or components included in a particular embodiment of the present invention.
Although example embodiments of the present invention have been described in detail herein with reference to the accompanying drawings, it is to be understood that the invention is not limited to those precise embodiments; those of ordinary skill in the related art can readily make various changes and modifications without departing from the scope and spirit of the present invention, and the present invention can easily take alternative forms. This invention is intended to cover all changes and modifications, equivalents and substitutions that fall within the spirit and scope of the present invention as defined by the appended claims.

Claims (13)

1. A unified classification safety method of a multi-service system, comprising the steps of:
determining whether the password rule of a user account changes;
when the password rule of the user account changes, searching the association between the user set and the password switching strategy for the corresponding password switching strategy ID according to the user information of this user account, the user information comprising a user ID, a role or a service system ID; and
when the corresponding password switching strategy ID is found, determining the new password rule ID of this user account according to the found password switching strategy ID.
2. The unified classification safety method as claimed in claim 1, wherein determining the new password rule ID of this user account according to the found password switching strategy ID further comprises the steps of:
taking the security level of the current password rule ID of this user account as a first security level, taking the security level set in the association between the user set and the password switching strategy as a second security level, and checking whether the first security level is lower than the second security level;
when it is not lower, taking the current password rule ID of this user account as the new password rule ID of this user account; and
when it is lower, determining the new password rule ID of this user account according to the found password switching strategy ID.
3. The unified classification safety method as claimed in claim 1 or claim 2, wherein determining the new password rule ID of this user account according to the found password switching strategy ID further comprises the steps of:
checking whether the new password rule ID of this password switching strategy ID is the same as the current password rule ID of this user account;
when they are the same, taking the current password rule ID of this user account as the new password rule ID of this user account;
when they differ, taking the security level of the new password rule ID of this password switching strategy ID as a third security level, and checking whether the third security level is lower than the second security level;
when it is lower, taking the current password rule ID of this user account as the new password rule ID of this user account; and
when it is not lower, taking the new password rule ID of this password switching strategy ID as the new password rule ID of this user account.
4. The unified classification safety method as claimed in claim 1, wherein determining whether the password rule ID of the user account changes comprises the step of: when the user logs in or changes the password, checking whether the check policy flag of this user account is one;
said unified classification safety method further comprising:
when no corresponding password switching strategy ID is found, or when the new password rule ID of this user account is identical to the current password rule ID of this user account, setting the check policy flag to zero; and
when the new password rule ID of this user account differs from the current password rule ID of this user account, after the user has successfully changed the password, updating the current password rule ID of this user account to the new password rule ID of this user account and setting the check policy flag to zero.
5. The unified classification safety method as claimed in claim 1, wherein the association between the user set and the password switching strategy is set by the system administrator according to user granularity, role granularity or system granularity; and
the priority of user granularity is higher than the priority of role granularity, and the priority of role granularity is higher than the priority of system granularity.
6. A unified classification security system of a multi-service system, comprising:
a password rule change determining component for determining whether the password rule of a user account changes;
a password switching strategy determining component for, when the password rule of the user account changes, searching the association between the user set and the password switching strategy for the corresponding password switching strategy ID according to the user information of this user account, the user information comprising a user ID, a role or a service system ID; and
a new password rule determining component for, when the corresponding password switching strategy ID is found, determining the new password rule ID of this user account according to the found password switching strategy ID.
7. The unified classification security system as claimed in claim 6, wherein said new password rule determining component is further configured to:
take the security level of the current password rule ID of this user account as a first security level, take the security level set in the association between the user set and the password switching strategy as a second security level, and check whether the first security level is lower than the second security level;
when it is not lower, take the current password rule ID of this user account as the new password rule ID of this user account;
when it is lower, determine the new password rule ID of this user account according to the found password switching strategy ID.
8. The unified classification security system as claimed in claim 6 or 7, wherein said new password rule determining component is further configured to:
check whether the new password rule ID of this password switching strategy ID is the same as the current password rule ID of this user account;
when they are the same, take the current password rule ID of this user account as the new password rule ID of this user account;
when they differ, take the security level of the new password rule ID of this password switching strategy ID as a third security level, and check whether the third security level is lower than the second security level;
when it is lower, take the current password rule ID of this user account as the new password rule ID of this user account; and
when it is not lower, take the new password rule ID of this password switching strategy ID as the new password rule ID of this user account.
9. The unified classification security system as claimed in claim 6, wherein the password rule change determining component is configured to: when the user logs in or changes the password, check whether the check policy flag of this user account is one;
said unified classification security system further comprising:
a check policy flag setting component for setting the check policy flag to zero when no corresponding password switching strategy ID is found, when the new password rule ID of this user account is identical to the current password rule ID of this user account, or after the user has successfully changed the password; and
a user account password rule updating component for updating, after the user has successfully changed the password, the current password rule ID of this user account to the new password rule ID of this user account.
10. The unified classification security system as claimed in claim 6, wherein the association between the user set and the password switching strategy is set by the system administrator according to user granularity, role granularity or system granularity; and
the priority of user granularity is higher than the priority of role granularity, and the priority of role granularity is higher than the priority of system granularity.
11. A unified classification safety method of a multi-service system, comprising the steps of:
searching the association between the user set and the password switching strategy for the corresponding password switching strategy ID according to the registration information entered by a registering user and the service system ID of the service system to which the user belongs, the registration information comprising the role of the user;
when no corresponding password switching strategy ID is found, using the default password switching strategy ID as the corresponding password switching strategy ID; and
determining the new password rule ID of the corresponding password switching strategy ID as the password rule ID of the registering user.
12. A unified classification security system of a multi-service system, comprising:
a password switching strategy determining component for searching the association between the user set and the password switching strategy for the corresponding password switching strategy ID according to the registration information entered by a registering user and the service system ID of the service system to which the user belongs, and, when no corresponding password switching strategy ID is found, using the default password switching strategy ID as the corresponding password switching strategy ID, the registration information comprising the role of the user; and
a password rule determining component for determining the new password rule ID of the corresponding password switching strategy ID as the password rule ID of the registering user.
13. A unified user management and authentication system of a multi-service system, comprising:
a user interface component for receiving information entered by the user and outputting notification signals to the user, the information entered by the user comprising at least an account name and a password;
a user account database for storing the relevant information of user accounts;
an account and password verification component for verifying the account name and password entered by the user; and
a unified classification safety device for determining whether the password rule of a logged-in user account changes and, when it is determined that the password rule changes, determining the new password rule of this user account, and for determining the new password rule of a newly registered user account.
CN201010222355.7A 2010-06-30 2010-06-30 The unified classification safety method of multiservice system and system Active CN102314564B (en)

Publications (2)

Publication Number Publication Date
CN102314564A true CN102314564A (en) 2012-01-11
CN102314564B CN102314564B (en) 2016-03-16
